The Abuses That Nearly Led To The Bulk Metadata Program Being Shut Down Aren't Considered 'Abuses' By The NSA

from the rules-are-for-the-nobodies dept

The set of minimization rules the NSA was supposed to apply to its bulk records collections was issued in 2006. As was noted here earlier, the FISA court laid down a number of limitations and restrictions in this document -- which the agency nearly immediately began violating.

The rules applying to bulk record searches is dated May 24, 2006. A footnote in Judge Walton's furious court order detailing the numerous violations indicates that the NSA began including domestic non-RAS (reasonable and articulable suspicion) numbers on its Alert List shortly thereafter. An NSA report to the FISC dated August 18, 2006 made this statement:

[R]ather than conducting daily queries of the RAS-approved foreign telephone identifier that originally contacted the domestic number, the domestic numbers were included in the alert list as, "merely a quicker and more efficient way of achieving the same result…"

While the end point may seem indistinguishable, the methods aren't and the NSA was forbidden from running searches using non-RAS domestic numbers. This points to the general tendency of the NSA and FBI to opt for the fastest route, rather than the constitutional route.

The agency's defense of its abuse boiled down to two arguments, neither of which impressed Judge Walton.

The first claim was that the non-compliance "resulted from a belief by some personnel within the NSA that… [the] Court's restrictions… applied only to "archived data." Walton shot back that this claim "strained credulity," adding that he found it hard to imagine why the court would allow the "critical" RAS requirement to hinge on whether the data had been archived or not. He nailed the lid shut on the argument with this sentence.

Indeed, to the extent that the NSA makes the decision about where to store the incoming BR [bulk records] data and when archiving occurs, such an illogical interpretation of the Court's Orders renders compliance with the RAS requirement merely optional.

The NSA buttressed its first claim with a second one that blamed its immediate oversight, rather than the less-specific "some personnel."

The NSA also suggests that the NSA OGC's [Office of General Counsel] approval of procedures allowing the use of non-RAS-approved identifiers on the alert list to query BR metadata not yet in the NSA's "archive" was not surprising, since the procedures were similar to those used in connection with other NSA SIGINT collection activities.

Walton tore that argument down as well, stating the lack of compliance wasn't simply a "terminological misunderstanding," but a willing decision by the agency to treat all collections uniformly despite there being specific, court-ordered procedures in place to handle incoming BR data.

Further compounding the abuses of the BR data was the NSA's obfuscation of the alert process it (mis)used to search incoming collections. Walton notes that the agency "repeatedly submitted inaccurate descriptions of the alert process." The NSA, in turn, blamed these misrepresentations on a failure by "those familiar with the program" to correct inaccuracies in a report prepared by the managing attorney of the NSA's Office of the General Counsel.

Walton responded to this by pointing out two reasons why the NSA should simply be accused of lying. One, the general counsel who prepared the draft asked for recipients to "make sure" everything contained in the report was true before he sent it to the court. Secondly, Walton footnotes a transcription of proceedings before FISC judge Malcolm Howard where a redacted representative of the NSA affirms that the report is "true and accurate to the best of his knowledge or belief."

The last excuse given by the NSA for its abuse of the BR metadata is perhaps the most damning.

Finally, the NSA reports that "from a technical standpoint, there was no single person who had a complete technical understanding of the BR FISA system architecture."

This is astounding. The NSA openly admits it had no one qualified to deal with tons of metadata, much of which included details on American citizens, and yet it continued to operate the program, expand its Alert List and forge ahead using its own set of rules. At no time did it attempt to seek clarification from the court and at no time did it rein in its collection or querying efforts out of concern it might be violating the privacy of American citizens.

Instead, it did the opposite. It sought permission from the court to expand the number of analysts authorized to access the BR data. And "mistakes" continued to be made. The NSA ensured the court in it would be training the new analysts, but reports continued to filter back detailing more failures.

Despite this training, however, the NSA subsequently determined that 31 NSA analysts had queried the BR metadata during a five day period in April 2008 "without being aware they were doing so."

…[F]rom May 2006 until February 18, 2009, the NSA continues to uncover examples of systemic noncompliance.

The uncomfortable truth of the matter is that the FISC judges have to rely on the NSA's narrative of how the programs are being used in order to determine whether requests can be approved. The NSA had a very nice setup, but it couldn't even keep that together. Three years of abuses almost led to the entire bulk records program being shut down by Judge Walton. He wraps up his court order with several damning paragraphs that call out the agency for its extended malfeasance.

It has finally come to light that the FISC's authorizations of this vast collection program have been premised on a flawed depiction of how the NSA uses BR metadata. This misperception… existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government's submissions, despite a government-devised and Court-mandated oversight regime.

The minimization procedures… have been so frequently and systemically violated that it can fairly be said that this critical element of the overall BR regime has never functioned effectively.

[Nearly all of the call detail records collected pertain to communications of non-US persons who are not the subject of an FBI investigation… [or] are communications of US persons who are not the subject of an FBI investigation… and are data that otherwise could not be legally captured in bulk by the government.

After running down the abuses, Walton again points out how the NSA's actions have effectively turned every layer of "oversight" into a joke.

[T]he Court must rely heavily on the government to monitor this program to ensure that it continues to be justified… and that it is implemented in a manner that protects the privacy interests of US persons as required by applicable minimization procedures. To approve such a program, the Court must have every confidence that the government is doing its utmost to ensure that those responsible for implementation fully comply with the Court's orders.

The Court no longer has such confidence.

Five years later, however, the program continues. Walton's order severely limited the NSA until it got a handle on the bulk records program. Walton allowed the collections to continue but forced the NSA to run search requests through the FISC on a "case-by-case" basis.

But were these cases "abuse?" The NSA's stance has been (up until recently) that no abuse has occurred. Some NSA officials probably still believe that nothing that happened between 2006 and 2009 constitutes "abuse," at least not according to any definition it uses.

As the leaks began to filter out into the media, the NSA's defenders have stressed repeatedly that the agency has not abused the rights of Americans, or carried out illegal programs. When evidence surfaced that thousands of incidents of abuse occurred every year, it turned supporters and insiders like Sen. Feinstein ("...the committee has never identified an instance in which the NSA has intentionally abused its authority to conduct surveillance for inappropriate purposes...") and NSA Director of Compliance John Delong ("These are not willful violations, they are not malicious, these are not people trying to break the law.") into liars, or at the very least, dispensers of half-truths.

The defenders of the agency hedge in order to give thousands of apparent abuses the appearance of slight, inadvertent violations. Defending itself from accusations of abuse is about the only place the NSA seems interested in deploying any form of minimization. Feinstein hedges by stating the "committee" has never identified abusive instances (which have to be "intentional" -- an apparently subjective term). Well, considering the committee's role as the premier NSA apologist, it's hardly surprising it's never "identified" any abuse. It's really not interested in looking for any.

Delong hedges as well, using "willful" and "malicious" to make the NSA's convenient "misunderstanding" of the minimization guidelines (which, for a legal document, are surprisingly clear) appear to be privacy-violating errors rather than instances of abuse.

But the NSA does abuse its power and it does violate the privacy of Americans. Just because the analyst doesn't sit down at the desk and start searching for an ex-girlfriend's data (oh wait...), doesn't mean what happened for three straight years under Alexander's watch any less abusive.

Operating a system you don't understand to harvest data on Americans indiscriminately is a form of abuse. Attempting to get away with treating a very specifically regulated program as indistinguishable from other NSA programs not subject to strict limitations is a form of abuse. It's an abuse of the power granted by the Court. It's abuse of the rights of American citizens. But it's never considered abuse by the abusers -- who rationalize everything away as a typo or a misinterpretation or improper training or anything but what it actually is.

I work in retail. If my register is short/over money at the end of the day, I get written up by my manager. If it happens several times, I will be let go. It doesn't matter whether it's intentional or not, I'm responsible for the money. I don't have the option of reporting to upstairs only what I want to report, or of lying.
That is what happens if I lose the company what is, to it, a paltry sum.
Here, in the NSA, it doesn't matter if it's intentional or not. You're not held accountable for your actions. NSA agents have the potential to wreak havoc using all the data they have access to, damage worse than what I could potentially cause to my company...and yet, they don't even get a slap on the wrist?

audits?

If Snowden used used credentials of higher-ups to access massive amounts of material without any flags for these accounts being tripped... one has to think these accounts weren't subject to audits like the rank and file analysts.